Internet Security and Acceleration (ISA) Server is Microsoft's enterprise-level network firewall and Web-caching server. ISA Server 2000 was Microsoft's first leap into the network firewall market, and ISA Server 2004 builds on ISA Server 2000's success as an intelligent application-layer firewall.
You can install the ISA Server software on a Windows Server 2003 or Windows 2000 Server computer. One of ISA Server's advantages is that its management interface uses the same Microsoft Management Console (MMC) interface as other Windows administrative applications. Thus, ISA Server is easy to install and configure for anyone experienced with Microsoft network administration. Another advantage is ISA Server's extensibility from both the hardware and software perspectives. You can easily upgrade the hardware with more memory and hard disk space, and you can install multiple software add-ons to provide a one-box firewall solution. The hardware extensibility saves the cost of high-dollar proprietary hardware upgrades, and the one-box software solution improves performance and lets you quickly and easily update the firewall software to rapidly respond to an evolving attack environment. Let's look at the strengths and weaknesses of ISA Server 2000 and ISA Server 2004 and how you can use third-party products to bolster ISA Server's capabilities.
ISA Server 2000 Key Features
Several features set ISA Server 2000 apart from other enterprise-class network firewalls, including:
Application-layer inspection is essential in a complex network environment. The packet-filtering technology that traditional firewalls use can't protect against application-layer attacks such as worms that hide malicious code inside legitimate protocols. ISA Server filters at the packet, circuit, and application layers. ISA Server can perform deep application-layer inspection for incoming HTTP connections by using a version of URLScan that you install on the ISA Server firewall. Extending URLScan protection to the network perimeter stops exploits at the firewall so that they never reach the Web server.
ISA Server 2000's application-layer filtering provides a unique level of protection for Microsoft Exchange Server and Microsoft Outlook Web Access (OWA). Unlike other firewalls that pass Secure Sockets Layer (SSL) connections from the Internet host to the OWA site without inspecting the communications inside the SSL tunnel, ISA Server "unwraps" the encrypted SSL content and exposes it to URLScan and other HTTP application filters to block attacks that would otherwise sneak through the SSL tunnel.
The unsung hero of ISA Server 2000 is Firewall Client, client software that communicates directly with the Firewall service on the ISA Server machine and is thus independent from the routing infrastructure. Firewall Client sends the username and the name of the executable application on the client that issued the request to the firewall so that the firewall can log the information and include it in reports.
ISA Server 2000 integrates with Windows 2003 and Win2K VPN features and makes setting up VPN configurations in a tightly integrated firewall/VPN solution easy. Built-in VPN wizards simplify the creation of a VPN server for remote-access VPN clients or a VPN gateway for site-to-site VPN links. Other popular firewall/VPN solutions charge extra for VPN client licenses, but ISA Server uses the Microsoft PPTP and Layer Two Tunneling Protocol (L2TP) clients that come with every modern Windows OS.
Web caching speeds up Internet access and can reduce bandwidth consumption on the Internet link. ISA Server 2000 sports a fast cache engine that stores cached Web content in two places: a very fast RAM-based cache and an optimized disk-based cache database. Users access Web content from cache instead of waiting for distant Web servers to return requested content. Reverse caching speeds access to your own Web servers for outside users.
Bandwidth-intensive applications such as peer-to-peer (P2P) software can bring the corporate Internet link to its knees. ISA Server 2000 lets you set bandwidth priorities so that bandwidth required for mission-critical network applications is available when needed. Figure 1 shows the ISA Server 2000 management interface.
ISA Server 2004's New Features
As good as ISA Server 2000 is, it has some limitations. ISA Server 2004 addresses many of the previous version's limitations by adding
ISA Server 2000 assumes that all networks or subnets on the corporate network are equally trusted. For example, you might install three network interfaces on your ISA Server 2000 firewall—one for the Internet link and the other two for LAN connections. ISA Server 2000 assumes that both LAN connections are trusted networks and doesn't let you apply firewall policy to these interfaces. ISA Server 2004's multinetworking feature fixes this problem. Firewall policy is applied to all ISA Server 2004 interfaces, and access rules control all traffic moving between any two interfaces. The concept of a trusted network is gone, and ISA Server 2004's powerful stateful filtering and stateful inspection engines examine all traffic.
Many installations must have the ISA Server 2000 firewall in the same domain as the users to avoid authentication problems. This configuration isn't optimal because if the firewall is compromised, the attacker can leverage the firewall's domain-member status to attack corporate network resources. ISA Server 2004 enables Remote Authentication Dial-In User Service (RADIUS) authentication for Web cache and VPN clients. RADIUS lets ISA Server 2004 authenticate users that belong to any RADIUS-compliant directory. You can use the Microsoft Internet Authentication Server (which is a RADIUS server) to connect to the Active Directory (AD) user database.
HTTP filtering in ISA Server 2000 is limited to URLScan and URL blocking. URLScan protects corporate-network Web servers that you've made available to Internet users, and URL blocking blocks Web sites based on a list of banned URLs that you create. ISA Server 2004 inspects all components of an HTTP communication. You can block or allow HTTP (and SSL) communications based on any characteristic of an HTTP message moving through the firewall. Thus, blocking P2P and multimedia applications that use HTTP as their transport is simple.
Branch-office implementations of ISA Server 2000 are severely limited because it doesn't support IPSec tunnel mode for site-to-site VPN links. ISA Server 2004 has an IPSec site-to-site tunnel mode wizard that sets up the remote network, the IPSec encryption parameters, and the shared secret. Now you can place ISA Server systems at branch offices and create IPSec tunnel-mode connections from them to any third-party VPN server or concentrator.
Most organizations prefer to place VPN servers behind a firewall so that the firewall can control who has access to the VPN servers. ISA Server 2000 supports placing IPSec Network Address Translation (NAT) Traversal VPN servers but not PPTP VPN servers behind the firewall. The new and improved PPTP application-layer filter in ISA Server 2004 lets you publish PPTP VPN servers and allows outbound PPTP connections from behind the firewall. Figure 2 shows ISA Server 2004's interface.
Making a Good Thing Better
In spite of all the improvements ISA Server 2004 brings to the table, third-party add-on applications can enhance ISA Server even more. Some of these added functionalities include
The products named below and in Table 1 work with ISA Server 2000, and almost all have been or will be updated or won't require updating for ISA Server 2004. You can find a complete listing of third-party ISA Server products at http://www.microsoft.com/isaserver/partners/default.asp.
Tracking and reporting of application layer inspection results and blocking of IM and P2P applications.
IM is an effective tool for business communication when used properly but can present a significant security risk if not controlled, monitored, and logged. Akonix L7 Enterprise for ISA Server lets you monitor all IM communications moving through the firewall. Deep application-layer inspection lets L7 block messages that contain forbidden words or file attachments. You can control who can use IM and when they can use it. You can log all information passed through the IM channel and analyze it for key words and phrases. You can analyze files being transferred for key words and viruses, or you can write a policy to stop file transfers completely.
L7 also watches for P2P network connections and file transfers, which use unacceptable amounts of network bandwidth and put the company at risk if copyrighted content is discovered on company computers. L7 blocks access to P2P file-sharing services such as Sharman Networks' Kazaa and logs information about users who attempt to access these services.
You install L7 as an application filter on the ISA Server computer or on another machine on the network. Installation and setup are wizard-driven, as is policy configuration. You manage L7 through an intuitive MMC interface.
Support for multiple Internet connections.
Many ISA Server customers would like to be able to aggregate multiple inexpensive broadband connections into one faster, more reliable connection, but ISA Server doesn't support multiple Internet links because the Microsoft Windows TCP/IP stack doesn't allow per-interface gateway configuration. Rainfinity's RainConnect for Microsoft ISA Server solves this problem by redirecting communications through RainConnect.
After you install RainConnect on ISA Server, it transparently routes traffic to other available links when one connection goes down and aggregates the bandwidth of all the lines. For example, if you install a 1.5Mbps DSL line and a 1.5Mbps cable line, RainConnect gives you a 3Mbps connection to the Internet through ISA Server.
Inexpensive small office/home office (SOHO) NAT routers provide bandwidth aggregation and link failover similar to that of RainConnect but don't provide failover for published network servers. RainConnect lets you publish VPN, SMTP, POP3, and IMAP4 servers with failover for the connection.
Improved high availability and bandwidth control.
Rainfinity's RainWall for Microsoft ISA Server is a software-based Network Load Balancing (NLB) product. You install RainWall on the ISA Server system—it doesn't require separate hardware to provide real-time failover and load balancing. Whereas RainConnect provides high availability and failover for Internet links, RainWall provides load balancing and failover for ISA Server itself.
RainWall has a wizard-driven installation process. After you install RainWall on the first server, subsequent array members on which you install the software detect the presence of the RainWall array and automatically configure themselves. You configure and manage the RainWall cluster through an easy-to-use MMC snap-in. Pairing RainWall and RainConnect on an ISA Server system provides an extremely effective high-availability solution for both the Internet links and firewall device at a fraction of the cost of hardware load balancers.
Radware's FireProof is a hardware network switch that uses information from a packet's network layers 4 through 7 to make intelligent routing decisions for that packet. Conventional packet-filter-analyzing application switches make decisions based on source and destination IP addresses and port numbers. FireProof quickly analyzes the true nature of the traffic and provides high availability and traffic prioritization for ISA Server. You can use FireProof in conjunction with Radware's LinkProof to provide high availability for inbound and outbound access through ISA Server, along with intelligent application-layer bandwidth shaping (i.e., dedicating Internet-connection bandwidth to specific application-layer protocols).
F5 Networks' BIG-IP Application Switches are popular among large organizations and ISPs for their high-performance bandwidth-control features. BIG-IP Application Switches can perform application-layer traffic control, load balancing, and system health-checking for multiple ISA Server systems. BIG-IP Application Switches can control which traffic goes to which ISA Server and direct connections to ISA Servers that have lighter loads.
Enhanced site blocking and Web filtering.
SurfControl is a leader in Web content and access control. As with many other Web filters designed to work with ISA Server, you install SurfControl Web Filter for Microsoft ISA Server as an Internet Server API (ISAPI) Web filter, which integrates it with ISA Server's Web Proxy component. ISA Server's built-in Site and Content rule feature gives you some control over which sites and Web content users access through the firewall, but SurfControl increases your ability to control, monitor, and log Web access by orders of magnitude. You can control access on a per-user or per-group basis for specific sites, content, and keywords. You can set bandwidth quotas that block or restrict users who exceed a predefined amount of bandwidth usage. A real-time monitor and more than 50 report templates round out SurfControl's list of features.
Burst Technology's bt-WebFilter provides a wide array of features that lets you get a fine bead on access control and analysis. You can control access to Web sites based on 48 categories of objectionable topics. You can give specified groups access to Web sites and deny access to other groups.You can set limits on bandwidth usage and time online. To configure and manage bt-WebFilter you use wizards and a familiar-looking MMC interface.
CornerPost Software's Chaperon 2000, which is popular in secondary schools and universities, also provides impressive Web content access control. Chaperon 2000 can immediately notify a security administrator when a user attempts to access forbidden Web sites. Chaperon 2000 can also assess whether a malicious user is attempting to circumvent the filters by methods such as SSL tunneling to anonymous Web proxies. If the user is successful, the product flags the attempt and informs you of a possible security problem. What's really impressive is that Chaperon updates its list of blocked Web sites every 2 hours.
Virus scanning of Web downloads.
GFI Software's GFI DownloadSecurity for ISA Server uses multiple antivirus engines, including Norman Virus Control and SOFTWIN's BitDefender, to inspect HTTP and HTTP-tunneled FTP downloads for viruses. You can add McAfee Security's VirusScan for an additional cost. You can also block files according to MIME type and file extension. You manage GFI DownloadSecurity from an MMC snap-in and from a Web-based applet. GFI DownloadSecurity also lets you perform real-time monitoring of Web downloads.
Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server includes antivirus protection for HTTP and HTTP-tunneled downloads and adds an SMTP antivirus feature. You install Symantec AntiVirus on the ISA Server system, where it employs Symantec's time-tested antivirus techniques. Symantec AntiVirus strips viruses from downloaded files, then sends the files on to users; alternatively, you can configure the application to quarantine infected downloads for later inspection. When Symantec AntiVirus detects a virus in an email message, it can send an email alert to security administrators or use SNMP monitoring and set trap messages to send an alert to an SNMP management station.
Spam blocking and email virus scanning.
ISA Server's SMTP Message Screener enables basic SMTP filtering according to keyword and file-attachment information. GFI provides more sophisticated spam blocking and virus control with a pair of powerful products. GFI MailEssentials for Exchange/SMTP is an effective spam-blocking application that uses Bayesian analysis and other methods to stop spam at the perimeter. You can use GFI MailEssentials for both inbound and outbound SMTP relay to stop spam from entering or leaving the network.
GFI MailSecurity for Exchange/SMTP extends GFI MailEssentials's antispam features by adding multiple antivirus engines. GFI MailSecurity exposes SMTP messages to three antivirus engines, then hands them to GFI's unique Trojan horse and executable-file scanners, which use artificial intelligence (AI) to determine whether messages contain exploits that the antivirus engines can't yet detect. You can install both GFI MailEssentials and GFI MailSecurity on ISA Server to provide a one-two punch against spam and email-borne viruses.
Enhanced log analysis and reporting.
Burst Technology's bt-LogAnalyzer categorizes and reports on incoming and outgoing email and Web content. Web activity is divided into prebuilt categories, such as hacking, shopping, and sports. Email usage reports identify the most active sending and receiving addresses and domains and the amount of bandwidth that each Active Directory (AD) user and group consumed. In addition to choosing from a wide selection of canned reports, you can create a custom report. You can automate report generation and specify output as HTML or XML.
WebSpy Analyzer Standard can import up to 2GB of logs and convert them into log summaries that the WebSpy reporting tools use for log analysis. WebSpy has many preconfigured reports and a report-builder wizard that helps you create custom reports. You can save reports in comma-separated value (CSV), HTML, or Microsoft Word (.doc) format. You can post the HTML files to a Web server for easy viewing anywhere on the intranet or Internet.
SOCKS 5.0 support.
CornerPost Software's Surrogate Socket 5.0 lets SOCKS 5.0-compatible machines and applications dynamically access the Internet from behind ISA Server. ISA Server supports SOCKS 4.3, but that SOCKS version doesn't support user authentication for outbound access control. Surrogate Socket 5.0 adds this feature and others that SOCKS 5.0 supports.
Support for two-factor authentication.
Authenex AOne pairs ISA Server with Authenex Strong Access Control (ASAC) and Authenex Strong Authentication System (ASAS) on the back end and the Authenex A-Key on the front end to provide strong two-factor access control to Web and VPN services. The A-Key is a hardware token that plugs into any USB port on the client. You can configure Authenex AOne such that users must have an A-Key plugged into the client device at all times when using an authenticated connection. ASAC enables strict access control according to time, destination, or requested content. The management interface is exceptionally well designed and works within the ISA Management console.
RSA Security's RSA SecurID is a two-factor user-authentication solution that requires a user to have an authentication password and to present a token to authenticate with the firewall before accessing Web sites on the corporate network. When you use the RSA SecurID token with RSA Security's RSA ACE/Agent on the ISA Server 2004 firewall and RSA Security's RSA/ACE Server software on the back end, the token works like an ATM card to provide secure remote access to Web sites behind ISA Server. In addition, you can use RSA SecurID to support two-factor authentication for VPN remote-access connections.
Support for an SSL VPN.
Many corporate firewalls close off all outbound ports except for TCP 80 and 443, rendering the ports and protocols required to support true network-layer VPN connections inaccessible. SSL VPNs provide an SSL-secured remote-access solution that simulates the functionality of a network-layer VPN. Everywhere Networks' FileWay lets remote users connect to file shares through a secure SSL connection. FileWay integrates with SSL OWA and gives users access to Exchange mail and to files located on corporate file servers or even desktop machines. A Web interface simplifies assigning approved network resources based on AD users and groups.
ISA Server provides effective and flexible network firewall protection with advanced application layer filtering right out of the box. But you can make a good thing better. Each of the extensions and add-ons discussed in this article can move your ISA Server firewall to the next level of network security.